Correctly Parse JSON that has has been formatted with the JSON Array Vulnerability Protection #59

mdedetrich · 2014-12-03T02:13:58Z

http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
tornadoweb/tornado#1009 (comment)
https://docs.angularjs.org/api/ng/service/$http

Long story short, due to a JSON security vulnerability, sites can output their json in the form of

{"d": ["Philha", "my-confession-to-crimes", 7423.42]}

Which represents the original json value of

["Philha", "my-confession-to-crimes", 7423.42]

Alternately (and my webserver does this), it can prelude the original JSON with the following string

)]}',\n

So the previous example would look like

)]}',
["Philha", "my-confession-to-crimes", 7423.42]

The require.js JSON plugin should account for this, currently it fails parsing with the following error message

SyntaxError: JSON Parse error: Unexpected token ')'

(when using the prelude version)

The text was updated successfully, but these errors were encountered:

mdedetrich changed the title ~~Parse JSON that has has been formatted with the Json Array Vulnerability Protection~~ Correctly Parse JSON that has has been formatted with the JSON Array Vulnerability Protection Dec 3, 2014

mdedetrich linked a pull request Dec 3, 2014 that will close this issue

Implemented JSON security vulnerability detection, reference retrieved f... #60

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Correctly Parse JSON that has has been formatted with the JSON Array Vulnerability Protection #59

Correctly Parse JSON that has has been formatted with the JSON Array Vulnerability Protection #59

mdedetrich commented Dec 3, 2014

Correctly Parse JSON that has has been formatted with the JSON Array Vulnerability Protection #59

Correctly Parse JSON that has has been formatted with the JSON Array Vulnerability Protection #59

Comments

mdedetrich commented Dec 3, 2014